Embed Size (px)
Citation preview
February 11, 2003 NANOG 27, Phoenix
Large-Scale Wireless NetworksUT’s case
Philippe HansetThe University of Tennessee
NANOG 27, Phoenix
The University of Tennessee~26K Students, ~4K faculty/staff at the Knoxville Campus, 15M assignable Sq Feet
NANOG 27, Phoenix
History of WLAN at UTK8 pilot projects by early Summer 2000(Lucent’s donation)…total success
President instructed a campus wide WLAN in one year, an a plan in 3 days(pilots and active ethernet required)
Started in January 2001, mostly accomplished by March 2002
NANOG 27, Phoenix
Critical Design Factors
Power over Ethernet (802.3AF)Project unthinkable if AC had to be pulled for 1200 APs
802.11b with 802.11a in mind(25 dB at 2.4 GHz extrapolatesto 18 dB at 5 GHz)4 channels instead of 3
NANOG 27, Phoenix
Aggressive DeploymentKnowledge of campus wiring comesfirst, wireless can be taughtSurvey the survey (maps before and after)Scripting 101 for ContractorsCentralize cat5 drops to save powerinjectorsCentrally deployed, with AUP(UT “owns” 2.4 and 5 GHz)Access is a key factor
NANOG 27, Phoenix
SurveysSubstantial variation in WLAN cardssensitivitySame antennas before and afterEmpty/Full buildingsInter-Building interferencesVertical usually better than HorizontalA dolly with a 12V battery and a power inverter
NANOG 27, Phoenix
A few Big VLANsConsidering the complexity and early stage of Mobile IP, UT decided to provide roaming to wireless users through the extensive usage of VLAN-trunks. A few huge flat networks. The main one has 920 APsWireless-VLANs prevents IP contention in local subnetsOn average, 40Kbps of broadcast traffic(no multicast nightmare…so far)
NANOG 27, Phoenix
Private IPs for APsSaves 1200 IPs in UT’s caseSecurity by obscurityEasy to extract from ARP (home grown monitoring tool)Impersonate an AP gets you nowhere(web authentication gateways)Permits a practical IP numbering,quite useful to locate APs in huge VLANs
NANOG 27, Phoenix
Numbering and NamingWSS13 is a wireless device in StudentServices, first floor, 3rd AP.WHTAG is a wireless device in Huge Tower10th floor, 16th AP (36 floors, 35 APs MAX)If DNS fails: AP is in VLAN1 connected to same switch as local wired subnet 160.36.24.0/24, its IP will be 10.1.24.xUnrelated but useful: color coded patch cables
NANOG 27, Phoenix
ManagementAPs are everywhere
Hide and Seek (sticker or not)Location Maps with accurate positioning(XP doesn’t reference AP-ID)Naming conventionActive Ethernet (remote control)
PERL/SNMP at the momentNew niche for management softwareCannot VLAN-trunk everywhere
NANOG 27, Phoenix
Security trendsOriginal test was wide-openTried to enforce WEP with pilots:Unmanageable, no support for Appleat the time. WEP+ is fine for PTPMassive deployment used a fully authenticated and encrypted solution(1200 firmware changes in 5 days!)Semi-open at the moment with silentmonitoring based on DHCP registration
NANOG 27, Phoenix
No SecurityImportant Information Regarding WIRELESS SECURITY The new wireless network offers NO security features. Anything that you send across the wireless network will be visible to others. If you check your email on the wireless network using one of the typical email clients (Outlook, Outlook Express, Eudora, Netscape Mail, etc), your username, password, and email will all be visible to anyone in the general area. This does not mean that you cannot check your email on the wireless network. It only means that you must be careful how you do so. Here are some things you should do: 1. USE WEBMAIL -- https://webmail.utk.edu is a secure site, so you can securely check your email via Webmail.2. USE SSL -- When visiting websites that need to be encrypted (online banking, etc), make sure that you are connected to the site securely by checking for the glowing or locked padlock in your web browser. If you are connected to the site securely, then all of your communication with that website is encrypted.3. USE VPN -- A more complete solution is offered by using a Virtual Private Network client while connected to wireless. A Virtual Private Network (VPN) creates an encrypted tunnel through which you transmit data. Using a VPN connection, all of your traffic over wireless will be encrypted. More information about the above issues, including a link to the VPN client, is available
at http://wireless.utk.edu/security.
NANOG 27, Phoenix
Home Grown solution
ARP tables of Wireless VLANSare collected every 5 minutesChecked against DHCP registrationdatabase, which resides on LDAPUn-identified MAC are filtered atthe switch, in CAM table.In 8 months, only 6 cases
NANOG 27, Phoenix
Off-the-shelve Authentication UT explored off-the-shelve solutions,WEB basedIntegrates with most existing solutions(LDAP, RADIUS, SQL…)Provides “a la carte” services based onusers identity (can be contoured)as a faculty said “just beat the cheating curve”Visitors…show me the credentials, sponsors
NANOG 27, Phoenix
Encryption
Convenience before SecurityWe had it, it failed…better be perfectbefore another essay (802.11i)Make it as ubiquitous as PPPOur worst nightmare: POP and IMAP(What about Ebay?) use VPN if your info is sensitive
NANOG 27, Phoenix
Interesting Happenings
Rogues APs, where service is notavailable (eg: Dormitories)
How to detect rogues APs (MAC, driving)
Faculty wanting to stop servicesduring exams (jammers illegal in US)WISP without consentUnknown Boxes in ceilings
NANOG 27, Phoenix
Wireless Utilization (4000 registered users)
0
200
400
600
800
1000
1200
1400
1600
1800
2000
1-Jun-02
1-Jul-02
31-Jul-02
30-Aug-02
29-Sep-02
29-Oct-02
28-Nov-02
28-Dec-02
27-Jan-03
Time (Day)
Uni
que
MA
C a
ddre
sses
NANOG 27, Phoenix
b a g
b worksa is not practical, mostly becauseof antenna restrictionsg keeps comingEvery b joining the AP will slow downthe gees
NANOG 27, Phoenix
a and b ranges2.4 / 5.2 GHz Radio Coverage
20
30
40
50
60
70
80
90
100
10 20 30 40 50 60 70 80 90 100Cell Radius (m)
Dat
a R
ate
Ava
ilabi
lity
2.4 GHz, 1 Mbps2.4 GHz, 5.5 Mbps2.4 Ghz, 11 Mbps5.2 GHz, 6 Mbps5.2 Ghz, 24 Mbps5.2 GHz, 54 Mbps
Courtesy of :
